    Is Open Source Really So Much More Secure By Nature

    Water Closet
    202 Posts 13 Posters 35.4k Views
    • Obsolesce @1337
      last edited by Obsolesce

      @Pete-S said in Is Open Source Really So Much More Secure By Nature:

      This is also interesting.

      [image]

      I don't get this chart. For example, what is Debian Linux versus Linux kernel vulnerabilities? And why is each Windows OS listed separately when others are not? Windows should be at the top of the list by miles lol.

      • 1337 @DustinB3403
        last edited by

        @DustinB3403 said in Is Open Source Really So Much More Secure By Nature:

        What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
        For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)

        Well, I'm not happy about it because it would suggest a lack of quality control.

        I don't see OpenBSD on the list for instance.

        • DustinB3403 @1337
          last edited by DustinB3403

          @Pete-S said in Is Open Source Really So Much More Secure By Nature:

          @DustinB3403 said in Is Open Source Really So Much More Secure By Nature:

          What is being listed here is known vulnerabilities. I for one am rather happy to know that these systems have this many known vulnerabilities.
          For every known issue, there could be an additional 100 or 1000 or more (for Windows, OSX and Linux)

          Well, I'm not happy about it because it would suggest a lack of quality control.

          I don't see OpenBSD on the list for instance.

          Sure, but you have to ask the NIST and TNVD what they were evaluating against. Just because something isn't on the list doesn't mean that it's more or less secure.

          Looking at the list, I would see this more as a veil that is preventing more issues from being discovered. Closed source software makes such a list misleading, because there are so many things that simply aren't known.

          • scottalanmiller @1337
            last edited by

            @Pete-S said in Is Open Source Really So Much More Secure By Nature:

            This is also interesting.

            [image]

            Notice that they split out every version and edition of Windows but lump all of Debian Linux into one thing. If you add up the Windows, it blows Debian out of the water in terms of vulnerabilities.

            Also, it's fake data. Open source vulnerabilities are disclosed, closed source typically are not. So there's no way for anyone but Microsoft to know the real numbers for Windows. We know for a fact that Microsoft has hidden vulnerabilities in the past, and it's the natural thing to do to continue to hide any that you can (typically by silently fixing them) rather than announcing that you found a mistake (and thereby telling malicious actors who they can prey on and how.)

            Bottom line is... this shows nothing. There's no possible way to have true data on this. Even Microsoft would struggle to have real numbers.

            Also, it shows only what is found, not how many there are. So high numbers can be good, rather than bad.

            • scottalanmiller @1337
              last edited by

              @Pete-S said in Is Open Source Really So Much More Secure By Nature:

              I don't see OpenBSD on the list for instance.

              Because it's not a big product. I don't see Solarwinds on the list, doesn't make it secure.

              • scottalanmiller @1337
                last edited by

                @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                Well, I'm not happy about it because it would suggest a lack of quality control.

                Actually, it suggests absolutely nothing. We don't know how the data is collected. We don't know what it reflects. And we don't know the true numbers.

                While marginally one can say it is "interesting", the one definitive thing that we can say is that it is meaningless.

                The discussion is literally about "systems we can know things about" versus "things we can't know things about." Then to provide a list purporting to know the unknowable means that the list is worthless. And that's assuming we know exactly how the data is collected.

                • scottalanmiller @1337
                  last edited by

                  @Pete-S I think if you look at that list and think about it, you'd see just how dramatically that list is telling us that open source is winning on vulnerabilities. Now, I still stand by my statement that the list is utter gibberish and means literally nothing whatsoever, BUT, let's assume that it means something and that the numbers are all true and directly comparable.

                  Now, let's look at the numbers that are bad enough to make the 2019 list (notice Linux isn't even on the list, it's all Windows and OMG cPanel!!!) with Fedora at 184 and Windows Server 2016 at 360. Fedora includes Linux, plus lots of other things, and includes every version of Fedora (about 31 releases in 2019.) Windows Server 2016 is a single release by comparison.

                  Now let's look at the size of the two. Fedora isn't just the tiny footprint that Windows is, no. It includes databases, video games, multiple products in every category... Windows Server 2016 is between 2-6GB. Each release of Fedora is around 250GB. It's apples to oranges. Windows is a tight OS with very few "extra packages" included in the OS. Sure it has Notepad, but the amount of bloat is small (in the OS itself.) Fedora may not install much by default if you don't want it to, but the entire OS is as much as 100x the size of Windows. Windows Server doesn't include Exchange or SQL Server. But Fedora includes several competitors to Exchange and myriad competitors to SQL Server, as examples. Plus half a dozen commercial video editors. Multiple web browsers, and on and on. Windows Server is also just the server release, but Fedora has Workstation, Cloud, and Server all lumped together as well.

                  That a single release of Windows Server has even 2% the vulnerabilities of the entire Fedora ecosystem collective would be something. But that it has twice as many, lol. With some perspective, it's downright staggering how many more vulnerabilities Windows has per line of code.

                  • DustinB3403 @scottalanmiller
                    last edited by

                    @scottalanmiller I was reading an article (someone posted here) from a MS dev, who said they just refuse to update because they are forced to maintain their one piece of the pie. So even big vulnerability issues, they "find a reason to not accept or allow any changes"

                    Which is way more surprising.

                    • scottalanmiller @DustinB3403
                      last edited by

                      @DustinB3403 said in Is Open Source Really So Much More Secure By Nature:

                      @scottalanmiller I was reading an article (someone posted here) from a MS dev, who said they just refuse to update because they are forced to maintain their one piece of the pie. So even big vulnerability issues, they "find a reason to not accept or allow any changes"

                      Which is way more surprising.

                      Not really surprising. In an org of that size, no one has ownership of the big picture. Everyone is tasked with getting their one little piece out the door, meeting deadlines, doing as they are told. Their devs make their money by obeying marching orders, not being rockstars. There's no glamour there, because they are not listed publicly. Do a good job, no one cares. Do something wrong that you weren't told to do, lose your job. At that scale, it's all but impossible to not have politics and playing to the middle be what drives the organization. They are just too big to attempt excellence, and they know that.

                      MS doesn't, and never has, made their money off of being a good product. They make it off of market momentum and marketing. Always have. Their customers have never chosen them because they are fast, secure, or feature rich. Primarily, they are pushed by vendors who resell their software and can't make the same margins on something free. So no Linux distro gets the same love from sales people, because Linux lacks both the initial sales margins (as well as the licensing consulting fees) and as many follow up support hours.

                      • 1337 @scottalanmiller
                        last edited by 1337

                        @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                        @Pete-S I think if you look at that list and think about it, you'd see just how dramatically that list is telling us that open source is winning on vulnerabilities. Now, I still stand by my statement that the list is utter gibberish and means literally nothing whatsoever, BUT, let's assume that it means something and that the numbers are all true and directly comparable.

                        Now, let's look at the numbers that are bad enough to make the 2019 list (notice Linux isn't even on the list, it's all Windows and OMG cPanel!!!) with Fedora at 184 and Windows Server 2016 at 360. Fedora includes Linux, plus lots of other things, and includes every version of Fedora (about 31 releases in 2019.) Windows Server 2016 is a single release by comparison.

                        Now let's look at the size of the two. Fedora isn't just the tiny footprint that Windows is, no. It includes databases, video games, multiple products in every category... Windows Server 2016 is between 2-6GB. Each release of Fedora is around 250GB. It's apples to oranges. Windows is a tight OS with very few "extra packages" included in the OS. Sure it has Notepad, but the amount of bloat is small (in the OS itself.) Fedora may not install much by default if you don't want it to, but the entire OS is as much as 100x the size of Windows. Windows Server doesn't include Exchange or SQL Server. But Fedora includes several competitors to Exchange and myriad competitors to SQL Server, as examples. Plus half a dozen commercial video editors. Multiple web browsers, and on and on. Windows Server is also just the server release, but Fedora has Workstation, Cloud, and Server all lumped together as well.

                        That a single release of Windows Server has even 2% the vulnerabilities of the entire Fedora ecosystem collective would be something. But that it has twice as many, lol. With some perspective, it's downright staggering how many more vulnerabilities Windows has per line of code.

                        Well, you said vulnerabilities don't mean it's less secure! Awesome! And you don't know how many lines of code there are in Windows. Or do you have access to the source? Some Windows customers do.

                        As far as I know there is NO research that shows that open source products are more or less secure than closed source products. The only research I've seen shows that there is no advantage to either system over the other.

                        So the correct answer to the OP's question is "No, there is no evidence that suggests open source is more or less secure by nature".

                        And before you start hammering on the keyboard - arguments and opinion are not proof.

                        • scottalanmiller @1337
                          last edited by

                          @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                          And you don't know how many lines of code there are in Windows. Or do you have access to the source?

                          You can tell from the size of the compiled code within reason. So yes, we do know in a practical sense, very much so.

                          • scottalanmiller @1337
                            last edited by

                            @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                            As far as I know there is NO research that shows that open source products are more or less secure than closed source products. The only research I've seen shows that there is no advantage to either system over the other.

                            LOL, no, that's not what research says. And you just provided great examples that demonstrate why.

                            Closed source can be secure, but it always is at a security disadvantage as closed source is inherently harder to secure than open source.

                            • 1337 @scottalanmiller
                              last edited by

                              @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                              @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                              And you don't know how many lines of code there are in Windows. Or do you have access to the source?

                              You can tell from the size of the compiled code within reason. So yes, we do know in a practical sense, very much so.

                              Then Windows has many more lines of code in it. Install a minimal base system and compare.

                              • scottalanmiller @1337
                                last edited by

                                @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                So the correct answer to the OP's question is "No, there is no evidence that suggests open source is more or less secure by nature".

                                It's the opposite. All logic, common sense, industry observation and the example you gave all show the opposite.

                                • 1337 @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                  Closed source can be secure, but it always is at a security disadvantage as closed source is inherently harder to secure than open source.

                                  Just arguments and no proof yet again 🙂

                                  • scottalanmiller @1337
                                    last edited by

                                    @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                    Then Windows has many more lines of code in it. Install a minimal base system and compare.

                                    Not a minimal base system... the whole OS. Windows is around 5GB. Fedora is around 250GB. Are you not reading the examples?

                                    • scottalanmiller @1337
                                      last edited by

                                      @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                      @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                      Closed source can be secure, but it always is at a security disadvantage as closed source is inherently harder to secure than open source.

                                      Just arguments and no proof yet again 🙂

                                      No, we provided the proofs. Just because the closed source camp withholds the proof that you decide we need doesn't change the facts. It only supports them.

                                      • 1337 @scottalanmiller
                                        last edited by 1337

                                        @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                        @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                        @scottalanmiller said in Is Open Source Really So Much More Secure By Nature:

                                        Closed source can be secure, but it always is at a security disadvantage as closed source is inherently harder to secure than open source.

                                        Just arguments and no proof yet again 🙂

                                        No, we provided the proofs. Just because the closed source camp withholds the proof that you decide we need doesn't change the facts. It only supports them.

                                        That's a sad argument and false. You have provided zero proof, because there is none.

                                        Just show us just one simple peer reviewed research paper that shows us that open source is more secure by nature.

                                        PS. And I'm the open source camp btw.

                                        • scottalanmiller
                                          last edited by

                                          Here are the basics....

                                          The only side that demands a certain style of proof, is the same side that refuses to provide it - using the withholding of their chosen proof as foundation for the claim that there isn't any proof and therefore their stated "they are the same" stands until such time as they provide whatever proof they claim is required.

                                          In the real world, we don't need that proof. All evidence, all common sense, all honest evaluation points 100% to open source being the better license for security.

                                          There can be no "proof" in code for reasons anyone that knows anything about IT or software would know and would never need explained - because no code can be developed the same in both for comparison. We can only use logic and common sense to show what is fact, and then check that observation shows these factors to play out as expected, which Pete provided dramatic evidence to support, as an example.

                                          There's so much proof it's no longer worth discussing. Trying to claim that there isn't overwhelming proof is absurd. The whole point is that closed source can't be trusted because it's using obscurity not only against malicious actors, but against its own clients!

                                          • scottalanmiller @1337
                                            last edited by

                                            @Pete-S said in Is Open Source Really So Much More Secure By Nature:

                                            That's a sad argument and false. You have provided zero proof, because there are none.

                                            YOU provided proof yourself!
